This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

When joining second firewall in HA mode it wipes the configuration on both UTMs

I have a SG310 configured (with alot of configuration done by myself), when i turn on the secondary firewall, plug in a cable between Eth3(HA) on both UTMs it wipes all of the configuration on both UTMs back to the default configuration. I selected Automatic configuration in the options. I even manually configured my primary one as the preferred master. Why is it doing this? How do i create the HA cluster without this happening?



This thread was automatically locked due to age.
  • This time i ran through the initial configuration wizard on the second UTM, i applied the base license from myutm.sophos.com. Then i noticed i get "Licensing Info - This page is disabled as you either do not have a relevant subscription or the relevant subscription has expired!" - what license am i supposed to have?? I thought you don't need a special HA license to join it if you're doing it in active/passive? 

    So this time i joined the second UTM to my primary UTM (with loads of config already on it) and after connecting the HA ports together it shut down my first UTM!!! WHAT???

    Can someone from Sophos please respond?

  • I'm not sure if I got it right, but did you configure both nodes?

    So you should configure only one node with all your settings. Then you can add a node. Please make sure that the second node is at the same version level (UTM 9.xxx). Sometimes this happens that if both aren't at same level the HA can't build up.

    Also please make sure that the second node is factory reset before you connect it. This is not mandatory but for simplification you could do this.

    from the manual:


    Automatic configuration: Sophos UTM features a plug-and-play configuration option for UTM appliances that allows the setup of a hot standby system/cluster without requiring reconfiguration or manual installation of devices to be added to the cluster. Simply connect the dedicated HA interfaces (eth3) of your UTM appliances with one another, select Automatic configuration for all devices, and you are done.

    Note Automatic configuration is only enabled by default on appliances with a fixed eth3 port. On appliances which only offer modular (removable) FlexiPort modules this feature is disabled by default but can be enabled on any preferred port (Sync NIC) as described further below.

    Note – For Automatic configuration to work, all UTM appliances must be of the same model. For example, you can only use two UTM 320 appliances to set up a HA system; one UTM 220 unit on the one hand and one UTM 320 unit on the other hand cannot be combined.

    ... 

    Setting up the master, slaves, or workers is pretty similar. Proceed as follows:

    1. Select a high availability operation mode.

      By default, high availability is turned off. The following modes are available:

      • Automatic Configuration
      • Hot Standby (active-passive)
      • Cluster (active-active)

      Note – If you want to change the high availability operation mode, you must always set the mode back to Off before you can change it to either Automatic Configuration, Hot Standby, or Cluster.

      Note – If the license/subscription has expired or is non-existent, the operation mode changing is limited to Off and the current operation mode.

      Depending on your selection, one or more options will be displayed.

    2. Make the following settings:

      Sync NIC: Select the network interface card through which master and slave systems will communicate. If link aggregation is active you can select here a link aggregation interface, too.

      Note – It is recommended to separate the HA synchronization from the other network traffic. For example VLAN.

      Note – Only those interfaces are displayed that have not been configured yet. It is possible to change the synchronization interface in a running configuration. Note that afterwards all nodes are going to reboot.

      The following options can only be configured if you either select Hot Standby or Cluster as operation mode:

      Device name: Enter a descriptive name for this device.

      Device node ID: Select the node ID of the device. In a case of a failure of the primary system, the node with the highest ID will become master.

      Encryption key: The passphrase with which the communication between master and slave is encrypted (enter the passphrase twice for verification). Maximum key length is 16 characters.

    3. Click Apply.

      The high-availability failover is now active on the device.


    Please tell us if you made any progress with that.

    Best regards

    Alex

    P.S. This is a user forum, if you need sophos support you should contact them directly.

    -

  • Factory reset of the secondary UTM got it working. Even though it was already 'factory reset' out of the box and connected for the first time anyway...

  • "... when i turn on the secondary firewall, plug in a cable between Eth3(HA) on both UTMs ..."

    Turning the Slave on is the last step after all connections are made.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA